
Last Week on My Mac: Malware has got the upper hand

One of the greatest human achievements during my lifetime has been the eradication of smallpox. From long before the dawn of civilisation until 1977, countless millions had died of that disease. Estimates are that in the twentieth century alone, 300-500 million people around the world died of smallpox. Its toll puts man-made catastrophes such as the world wars into insignificance.

One important reason that we were able to eliminate smallpox, but not still-common virus infections such as the common cold and flu, is that the smallpox virus changed very little. This made it relatively simple to prevent by vaccination – a word which originated in the campaign against smallpox. Colds and flu are much more mutable viruses, each year bringing new strains to defeat existing protection.

So it is with malware. If it never changed, if no one ever developed new malware exploiting newly-discovered vulnerabilities, then we’d not have a problem. Like smallpox, it would be a thing of the past.

Instead, the last week has seen the arrival in the wild of a whole family of new malware affecting macOS: OSX/Dok. At first, one variant was detected, then a second quickly became manifest. Apple very promptly updated protection provided to El Capitan and Sierra, and within days new variants have appeared which circumvent that.

Apple and the vendors of ‘anti-virus’ products are now engaged in a race against the developer of OSX/Dok: each time that protection becomes effective, new variants will appear which sneak through that protection. The protection is then updated again, and the malware changes. A determined and well-resourced team of malware developers can continue this cycle for as long as it takes to achieve their objective. It is a race which is unlikely to have any real winner.

The reason that this is happening is the nature of anti-malware protection in macOS and ‘anti-virus’ products. Like vaccines against colds and flu, protection is determined by quite precise properties of past malware. Today’s protection provides little if any protection against tomorrow’s malware.

Gatekeeper is a good example: each variant of OSX/Dok has been signed using a valid developer’s certificate, issued by Apple, to allow it past Gatekeeper’s protection. Apple has very promptly revoked the certificates which OSX/Dok abused yesterday, but as it cannot know which certificates will be abused next, tomorrow’s variants of OSX/Dok will once again be given the thumbs up by Gatekeeper, and it will not protect Macs from them.

This is not to say that Gatekeeper is now useless, but that it can only form a part of the protection against malware built into macOS. Unfortunately, at present, the other parts have a similar weakness: like almost all ‘anti-virus’ products, they rely on ‘fingerprints’ and very specific properties of the malware that they detect. When the malware behaves like smallpox, that is very effective, as we have seen over the last couple of years.

But when malware behaves like colds and flu, as OSX/Dok is doing, Gatekeeper, XProtect, MRT, and other Apple and third-party protection will always lag behind the malware which they are trying to protect against.

This is not the only possible approach to detecting malware, though. It is the one in which there has been most investment, and it is tempting to suggest that one determining factor in that industry strategy is maintaining revenue from subscriptions to ‘virus definitions’ services.

An alternative, which has academic credibility and growing evidence of practical success, is to look for malware behaviours. As Patrick Wardle and others have pointed out, most malware has to remain persistent in order to achieve its objectives. In macOS, there’s a limited number of ways in which apps can become persistent, such as through the LaunchAgent/LaunchDaemon mechanism. One relatively simple way of detecting a lot of malware – including, it would appear, most of the OSX/Dok variants – is to block the installation of LaunchAgents and LaunchDaemons. Yet macOS does not do that, nor do commercial ‘anti-virus’ products.

There is one product which I know of which adopts this different approach to detecting malware. It is the only product which appears to have provided good protection against all the OSX/Dok variants so far studied, from the moment of their release into the wild. It is Objective-See’s BlockBlock (donationware).

Because BlockBlock is not (yet) very widely used – at least in comparison with Apple’s protection built into El Capitan and Sierra – malware developers don’t seem to have looked seriously at how to circumvent its protection. But even if they do, its importance is in demonstrating a new strategy in detecting and stopping malware, a strategy which has so far been badly underused: looking for patterns of behaviour which are suggestive of malware.

To a degree, El Capitan and Sierra already do this in System Integrity Protection (SIP): apps can no longer install malicious kernel extensions in /System/Library/Extensions, LaunchAgents in /System/Library/LaunchAgents, or LaunchDaemons in /System/Library/LaunchDaemons. But /Library/Extensions, /Library/LaunchAgents, and /Library/LaunchDaemons are not watched folders. A developer will need a special certificate to get their kernel extension into the first of those, and the user will need to authenticate as an admin user to install into the latter two, but as OSX/Dok and others have shown, those are not insurmountable problems for the determined malware developer.
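The persistence check described above (watching the /Library and ~/Library launchd folders that SIP leaves unprotected, and flagging anything that was not there before) can be approximated in a few dozen lines. The script below is an added example, not code from this post or from BlockBlock: it parses every LaunchAgent/LaunchDaemon property list with the standard plistlib module, records the Label and program each one would run, and reports entries that are absent from an earlier baseline. The directory names and plist contents in `build_demo` are constructed so the script runs offline; on a real Mac you would call `scan_persistence()` with its default directories and keep the baseline on disk.

```python
"""Baseline-and-diff audit of launchd persistence folders (added example)."""
import os
import plistlib
import tempfile
from pathlib import Path

# Folders the post names as unwatched persistence locations. The /System/Library
# equivalents are covered by SIP, so these are the ones worth baselining.
PERSISTENCE_DIRS = [
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
    os.path.expanduser("~/Library/LaunchAgents"),
]


def summarise_plist(path):
    """Return (label, program) for one launchd plist, or None if it cannot be parsed."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None
    label = data.get("Label", "<no Label>")
    # launchd accepts either Program or ProgramArguments; show whichever is set.
    program = data.get("Program") or " ".join(data.get("ProgramArguments", []))
    return label, program


def scan_persistence(dirs=PERSISTENCE_DIRS):
    """Map every .plist path under the given folders to its (label, program)."""
    found = {}
    for d in dirs:
        directory = Path(d)
        if not directory.is_dir():
            continue  # e.g. ~/Library/LaunchAgents does not exist on a fresh account
        for p in sorted(directory.glob("*.plist")):
            summary = summarise_plist(p)
            if summary is not None:
                found[str(p)] = summary
    return found


def new_entries(baseline, current):
    """Entries present now but not in the baseline: the events a behavioural
    tool would prompt the user about instead of silently allowing."""
    return {p: v for p, v in current.items() if p not in baseline}


def build_demo(root):
    """Construct a fake Library/LaunchAgents tree with one pre-existing agent,
    take a baseline, then add a second agent. All labels and paths are made up."""
    agents = Path(root) / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    existing = {"Label": "com.example.updater", "ProgramArguments": ["/usr/bin/true"]}
    with open(agents / "com.example.updater.plist", "wb") as fh:
        plistlib.dump(existing, fh)
    baseline = scan_persistence([str(agents)])
    # Simulate a newly dropped agent appearing after the baseline was taken.
    dropped = {"Label": "com.example.dropped",
               "ProgramArguments": ["/tmp/unknown-agent.sh", "-q"]}
    with open(agents / "com.example.dropped.plist", "wb") as fh:
        plistlib.dump(dropped, fh)
    current = scan_persistence([str(agents)])
    return baseline, current


def demo_diff():
    """Run the constructed scenario and return the (label, program) pairs flagged as new."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline, current = build_demo(tmp)
        return sorted(new_entries(baseline, current).values())


if __name__ == "__main__":
    for label, program in demo_diff():
        print(f"NEW persistence item: {label} -> {program}")
```

Run on a real system, the baseline should be taken once from a known-clean state and stored; a diff run from a periodic job (or, better, a file-system watcher on the same folders) then surfaces the kind of LaunchAgent installation the post describes, regardless of which certificate signed the installer.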

With just a month to go to WWDC 2017, and Apple’s expected announcement of macOS 10.13, we can only hope that its security engineers have already worked out and implemented a better strategy. If it isn’t behavioural, like BlockBlock, then Apple will remain stuck in this futile race against malware developers. And we’ll be stuck in between.

9 Comments

Something that takes this even further is Jonathan Zdziarski’s LittleFlocker (now F-Secure XFENCE), described as “a firewall for your files. Provides not only persistence monitoring, but granular control over what applications may and may not do on the filesystem everywhere. Great against not only malware, but legitimate applications that become compromised as well.”

Yes: LittleFlocker was on my list of fine security products until it was swallowed up by F-Secure. Unfortunately F-Secure doesn’t make it easy to obtain or assess their products, so I have for the moment put this on ice.
Howard.

Sorry, didn’t leave a link. They claim that they will respect a paid license for anyone who has one for LittleFlocker. I’ve been running it since it was released to beta – the current build is exactly the same as the last LittleFlocker build (1.6.4, I think) as near as I can tell, and has all of the same ups and downs.

Funnily enough, I’ve been exploring writing an app for Macs that would set a permissive AppSandbox/seatbelt policy, log everything, and then allow an actual policy file to be created based on the results. I’ve been using your app framework as a starting point, and it’s been very helpful. You might also find it interesting to look into the OpenBSM auditing framework on MacOS, which is installed and enabled by default. It looks pretty arcane to me so far, but combined with a couple of other tools might provide the kind of EWS app that you’re looking for.

Side note: I would love to see Patrick Wardle release a standalone security “suite” or framework – multiple kernel modules for tools written by one person cause me great dismay.

Going back to my statement about app writing, what I’d really really love to see is micro-virtualization (a la Bromium) and the associated control granularity, come to MacOS as a whole in a future release.

The good news is, Zdziarski got hired by the Core Security team at Apple, so along with him and Ivan Krstic we can hope that great things are in store (though Krstic seems to have done less than I would have hoped given his tenure there).

You should certainly not try running more than one ‘anti-virus’ product at a time.
On recent performance, I don’t think that any conventional ‘anti-virus’ product is going to help you much. If you want good protection, use BlockBlock now, together with the built-in protection in macOS, which is at least free. Whether F-Secure’s XFENCE will prove as good, I don’t know – I think more experience is needed.
It is always useful to have a manual-scan app to hand, and for that the free product from Malwarebytes seems proficient.
I can see no good reason for paying another third-party for its ‘protection’, unless of course you are required to by security audit etc.
Howard.

I’ve been testing CylancePROTECT for MacOS recently; it has some very cool features that mitigate exploits but so far hasn’t been great at detecting newer Mac malware. I’m hoping it’ll get better with time though, as the Mac version seems a bit young.

Also, someone posted the last version of LittleFlocker before it was swallowed up on a GitHub thread, so it’s still available for those of us who have licenses.